Add some CI

2023-04-09 14:18:53 +01:00 · 2023-04-09 14:18:53 +01:00 · e5847d06d5
commit e5847d06d5
parent 663fa46662
6 changed files with 118 additions and 211 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -1,129 +0,0 @@
---
-kind: pipeline
-type: docker
-name: update-flake
-
-steps:
-  - name: Update flake
-    image: nixos/nix
-    commands:
-      - echo "substituters = https://cache.nixos.org/ https://f000.backblazeb2.com/file/cache-chir-rs/" >> /etc/nix/nix.conf
-      - echo "trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nixcache:8KKuGz95Pk4UJ5W/Ni+pN+v+LDTkMMFV4yrGmAYgkDg= hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" >> /etc/nix/nix.conf
-      - echo "experimental-features = nix-command flakes ca-derivations" >> /etc/nix/nix.conf
-      - |
-        for job in nixos-8gb-fsn1-1 nutty-noon thinkrac installer nas; do
-          nix show-derivation -r ".#hydraJobs.$job.x86_64-linux" > ../old-$job.json
-        done
-
-        nix flake update
-
-        for job in nixos-8gb-fsn1-1 nutty-noon thinkrac installer nas; do
-          nix show-derivation -r ".#hydraJobs.$job.x86_64-linux" > ../new-$job.json
-
-          nix-shell -p python3 --run "python scripts/diff-drvs.py ../old-$job.json ../new-$job.json" > ../report-$job.txt
-          cat ../report-$job.txt >> ../full-report.txt
-        done
-        if [ -s ../full-report.txt ]; then
-          echo "Automatic flake.lock update" > ../pr-message.txt
-          echo "" >> ../pr-message.txt
-          for job in nixos-8gb-fsn1-1 nutty-noon thinkrac installer nas; do
-            echo "## Changes for $job:" >> ../pr-message.txt
-            echo '```' >> ../pr-message.txt
-            cat ../report-$job.txt >> ../pr-message.txt
-            echo '```' >> ../pr-message.txt
-          done
-        else
-          touch ../pr-message.txt
-        fi
-        mv ../pr-message.txt .
-  - name: Push git
-    image: alpine:latest
-    commands:
-      - apk add git openssh git-lfs
-      - mkdir ~/.ssh
-      - echo "$SSH_KEY" > ~/.ssh/id_ed25519
-      - chmod 600 ~/.ssh/id_ed25519
-      - echo "git.chir.rs ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQ77jA9S5qXDFGPLZRsC++AtxiXXeF8gVbkLlglx0GQ" > ~/.ssh/known_hosts
-      - echo "git.chir.rs ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDY0pZzNTAqaVqqfC31gYFixFs5KySv0UqvlDEAzEXJMB/pBWkE5GAd5Ik1NxD4QiAVWc2UARdmJEBbYf8mk5JiAv6fjsodJdJVRau4Ax7FtIfbxdFyzBgFery/KUnNIr6cmAWU2Af8JhzrnpEbhe5U3LftYnkdE1lI+iVqaQRARp0qikdzoAl3uMUhbdTxp1/6rtfN6bP2XZCsUx3t3W5ZG1QTQz8l7nrbXZX1TT3pZ2vcUANcMtOxEAwO6lbL210GX63C8XEoE7+4lLxRrSiaq3SkVlG07VspozKEtrrcsqCRNLebiaapmNWVoEq9Wd9VGAEjja5efyU6/HUlRogAOo1WP73UwoQLv5LTFH+ECoHhKS14xfPeXeVG8dbYyh5+CnmiVe43dH1qZw+ceYuYel31f47cAgScbxFvNkct0spK9m9mivnoUmYcxwTc+VbFbmnJvSuZw3a+OEYn9biitP/tTkYFiLZVdPZTxDkvd1oOyuVH9d4RMXbVgNS92/lr2iKFZkyhWMJ61hFMc2tupwmkp5Us5ce42XA0zC/aVY3vYoih/c5Ib0eZF1AEJdB6Bt5dWqITVsB3mip3Jn/mqVBIPTGXT6+FnGSEuL68Dj2yKBD7kj8YO/1SWpkVMy+bfoLXY/usgcaLCxpUu8dDrdrcKExLigCVbi3rdRmg7w==" >> ~/.ssh/known_hosts
-      - git remote set-url origin gitea@git.chir.rs:darkkirb/nixos-config.git
-      - git config --global 'user.email' 'gitea-bot@chir.rs'
-      - git config --global 'user.name' 'Gitea Bot'
-      - git add flake.lock
-      - git commit -m "Update flake"
-      - git push --force origin main:update-flake
-    environment:
-      SSH_KEY:
-        from_secret: SSH_KEY
-  - name: Create pull request
-    image: alpine:latest
-    commands:
-      - mv pr-message.txt ..
-      - apk add jq curl
-      - |
-        echo '{ "assignee": "DarkKirb", "base": "main", "head": "update-flake", "title": "Update flake" }' | jq '.body = $body' --arg body "$(cat ../pr-message.txt)" | curl -XPOST  'https://git.chir.rs/api/v1/repos/DarkKirb/nixos-config/pulls' -H "Accept: application/json" -H "Content-Type: application/json" -H "Authorization: Bearer $AUTHORISATION" --data-binary @-
-    environment:
-      AUTHORISATION:
-        from_secret: GITEA_KEY
-trigger:
-  event:
-    - cron
-  cron:
-    - updater
---
-kind: pipeline
-type: docker
-name: hydra-deploy
-
-steps:
-  - name: Wait for hydra job
-    image: alpine:latest
-    commands:
-      - apk add jq curl
-      - |
-          while true; do
-            if [[ $(curl https://git.chir.rs/api/v1/repos/darkkirb/nixos-config/commits/$DRONE_COMMIT/status | jq '[.statuses[] | select(.target_url | contains("https://hydra.chir.rs/"))] | length') != 0 ]]; then
-              exit 0
-            fi
-            sleep 5
-          done
-  - name: Wait for hydra jobs to finish
-    image: alpine:latest
-    commands:
-      - apk add jq curl
-      - |
-          while true; do
-            if [[ $(curl https://git.chir.rs/api/v1/repos/darkkirb/nixos-config/commits/$DRONE_COMMIT/status | jq '[.statuses[] | select(.target_url | contains("https://hydra.chir.rs/")) | select(.status == "pending") ] | length') == 0 ]]; then
-              exit 0
-            fi
-            sleep 5
-          done
-  - name: Deploy successful hydra jobs
-    image: alpine:latest
-    commands:
-      - apk add jq curl git openssh
-      - mkdir ~/.ssh
-      - echo "$SSH_KEY" > ~/.ssh/id_ed25519
-      - chmod 600 ~/.ssh/id_ed25519
-      - echo "git.chir.rs ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQ77jA9S5qXDFGPLZRsC++AtxiXXeF8gVbkLlglx0GQ" > ~/.ssh/known_hosts
-      - echo "git.chir.rs ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDY0pZzNTAqaVqqfC31gYFixFs5KySv0UqvlDEAzEXJMB/pBWkE5GAd5Ik1NxD4QiAVWc2UARdmJEBbYf8mk5JiAv6fjsodJdJVRau4Ax7FtIfbxdFyzBgFery/KUnNIr6cmAWU2Af8JhzrnpEbhe5U3LftYnkdE1lI+iVqaQRARp0qikdzoAl3uMUhbdTxp1/6rtfN6bP2XZCsUx3t3W5ZG1QTQz8l7nrbXZX1TT3pZ2vcUANcMtOxEAwO6lbL210GX63C8XEoE7+4lLxRrSiaq3SkVlG07VspozKEtrrcsqCRNLebiaapmNWVoEq9Wd9VGAEjja5efyU6/HUlRogAOo1WP73UwoQLv5LTFH+ECoHhKS14xfPeXeVG8dbYyh5+CnmiVe43dH1qZw+ceYuYel31f47cAgScbxFvNkct0spK9m9mivnoUmYcxwTc+VbFbmnJvSuZw3a+OEYn9biitP/tTkYFiLZVdPZTxDkvd1oOyuVH9d4RMXbVgNS92/lr2iKFZkyhWMJ61hFMc2tupwmkp5Us5ce42XA0zC/aVY3vYoih/c5Ib0eZF1AEJdB6Bt5dWqITVsB3mip3Jn/mqVBIPTGXT6+FnGSEuL68Dj2yKBD7kj8YO/1SWpkVMy+bfoLXY/usgcaLCxpUu8dDrdrcKExLigCVbi3rdRmg7w==" >> ~/.ssh/known_hosts
-      - git remote set-url origin gitea@git.chir.rs:darkkirb/nixos-config.git
-      - |
-        for build in $(curl https://git.chir.rs/api/v1/repos/darkkirb/nixos-config/commits/$DRONE_COMMIT/status | jq -r '.statuses[] | select(.target_url | contains("https://hydra.chir.rs/")) | select(.status == "success" ) | .target_url'); do
-          JOB_JSON=$(curl -H "Accept: application/json" $build)
-          PROJECT=$(echo "$JOB_JSON" | jq -r '.project')
-          JOBSET=$(echo "$JOB_JSON" | jq -r '.jobset' | sed 's/nixos-config-update/nixos-config/')
-          JOB=$(echo "$JOB_JSON" | jq -r '.job')
-          JOB_NAME="$PROJECT/$JOBSET/$JOB"
-          git branch $JOB_NAME || true
-          git checkout $JOB_NAME
-          git reset --hard $DRONE_COMMIT
-          git push --force -u origin $JOB_NAME
-        done
-    environment:
-      SSH_KEY:
-        from_secret: SSH_KEY
-trigger:
-  event:
-    - push
-  branch:
-    - main
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@ -1,48 +0,0 @@
-name: Pull request diff
-on:
-  pull_request:
-    branches:
-      - main
-jobs:
-  diff-expr:
-    name: Diff nix expressions
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v17
-        with:
-          extra_nix_config: |
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
-            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nixcache:8KKuGz95Pk4UJ5W/Ni+pN+v+LDTkMMFV4yrGmAYgkDg= hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs= chir-rs:AnwyFacopHSkprD6aXY4/R3J9JYzTbV2rosJCBPaB28=
-            experimental-features = nix-command flakes ca-derivations
-            post-build-hook = ${{ github.workspace }}/scripts/post-build-hook
-            substituters = https://cache.nixos.org/ https://attic.chir.rs/chir-rs
-      - name: Download attic
-        run: nix build github:DarkKirb/nix-packages#attic-client
-      - name: Set up secrets
-        run: nix run github:DarkKirb/nix-packages#attic-client -- login attic-server https://attic-nocdn.chir.rs/ "$ATTIC_TOKEN"
-        env:
-          ATTIC_TOKEN: ${{secrets.ATTIC_TOKEN}}
-      - run: |
-
-          for job in nixos-8gb-fsn1-1.x86_64-linux nutty-noon.x86_64-linux thinkrac.x86_64-linux nas.x86_64-linux instance-20221213-1915.aarch64-linux devterm.aarch64-linux; do
-            nix show-derivation -r "github:DarkKirb/nixos-config/main#hydraJobs.$job" > old-$job.json
-          done
-
-          echo "Difference between this PR and main:" > review
-          echo "" >> review
-
-          for job in nixos-8gb-fsn1-1.x86_64-linux nutty-noon.x86_64-linux thinkrac.x86_64-linux nas.x86_64-linux instance-20221213-1915.aarch64-linux devterm.aarch64-linux; do
-            nix show-derivation -r ".#hydraJobs.$job" > new-$job.json
-
-            echo "## Changes for $job:" >> review
-            echo '```' >> review
-            python scripts/diff-drvs.py old-$job.json new-$job.json >> review
-            echo '```' >> review
-          done
-          mv review .github/workflows
-      - uses: harupy/comment-on-pr@master
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          filename: review
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@ -1,34 +0,0 @@
-name: update
-on:
-  workflow_dispatch: # allows manual triggering
-  schedule:
-    - cron: "49 7 * * *"
-jobs:
-  flake-lock:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-      - name: Install Nix
-        uses: cachix/install-nix-action@v18
-        with:
-          nix_path: nixpkgs=channel:nixos-unstable
-          extra_nix_config: |
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
-            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nixcache:8KKuGz95Pk4UJ5W/Ni+pN+v+LDTkMMFV4yrGmAYgkDg= hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs= chir-rs:AnwyFacopHSkprD6aXY4/R3J9JYzTbV2rosJCBPaB28=
-            experimental-features = nix-command flakes ca-derivations
-            post-build-hook = ${{ github.workspace }}/scripts/post-build-hook
-            substituters = https://cache.nixos.org/ https://attic.chir.rs/chir-rs
-            substituters = https://cache.nixos.org/
-      - name: Set up secrets
-        run: |
-          echo "$NIX_CACHE_KEY" > ~/cache.key
-          sudo mkdir /root/.aws
-          echo "$AWS_CREDENTIALS" | sudo tee /root/.aws/credentials > /dev/null
-        env:
-          NIX_CACHE_KEY: ${{secrets.NIX_CACHE_KEY}}
-          AWS_CREDENTIALS: ${{secrets.AWS_CREDENTIALS}}
-      - name: Update flake.lock
-        uses: DeterminateSystems/update-flake-lock@v14
-        with:
-          token: ${{ secrets.GH_TOKEN }}
--- a/.woodpecker/lint.yaml
+++ b/.woodpecker/lint.yaml
@ -0,0 +1,5 @@
+pipeline:
+  check-format:
+    image: nixery.dev/shell/alejandra
+    commands:
+      - alejandra -c .
--- a/.woodpecker/pr.yaml
+++ b/.woodpecker/pr.yaml
@ -0,0 +1,50 @@
+pipeline:
+  diff-pr:
+    image: nixpkgs/nix-unstable
+    commands:
+      - mkdir -p /etc/nix
+      - |
+        cat > /etc/nix/nix.conf << EOF
+        # WARNING: this file is generated from the nix.* options in
+        # your NixOS configuration, typically
+        # /etc/nixos/configuration.nix.  Do not edit it!
+        build-users-group = nixbld
+        allowed-users = *
+        auto-optimise-store = true
+        builders-use-substitutes = true
+        require-sigs = true
+        sandbox = false
+        substituters = https://attic.chir.rs/chir-rs/ https://cache.nixos.org/
+        system-features = big-parallel benchmark ca-derivations
+        trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nixcache:8KKuGz95Pk4UJ5W/Ni+pN+v+LDTkMMFV4yrGmAYgkDg= hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs= chir-rs:AnwyFacopHSkprD6aXY4/R3J9JYzTbV2rosJCBPaB28=
+        trusted-substituters =
+        trusted-users = @wheel
+        experimental-features = nix-command flakes ca-derivations
+        EOF
+      - |
+          for job in nixos-8gb-fsn1-1.x86_64-linux nutty-noon.x86_64-linux thinkrac.x86_64-linux nas.x86_64-linux instance-20221213-1915.aarch64-linux devterm.aarch64-linux; do
+            nix show-derivation -r "github:DarkKirb/nixos-config/main#hydraJobs.$job" > old-$job.json
+          done
+
+          echo "Difference between this PR and main:" > review
+          echo "" >> review
+
+          for job in nixos-8gb-fsn1-1.x86_64-linux nutty-noon.x86_64-linux thinkrac.x86_64-linux nas.x86_64-linux instance-20221213-1915.aarch64-linux devterm.aarch64-linux; do
+            nix show-derivation -r ".#hydraJobs.$job" > new-$job.json
+
+            echo "## Changes for $job:" >> review
+            echo '```' >> review
+            python scripts/diff-drvs.py old-$job.json new-$job.json >> review
+            echo '```' >> review
+          done
+    when:
+      - event: pull_request
+  post-review:
+    image: nixery.dev/shell/curl
+    commands:
+      - |
+        echo '{ "assignee": "DarkKirb", "base": "main", "head": "update-flake", "title": "Update flake" }' | jq '.body = $body' --arg body "$(cat review)" | curl -XPOST  'https://git.chir.rs/api/v1/repos/DarkKirb/nixos-config/pulls' -H "Accept: application/json" -H "Content-Type: application/json" -H "Authorization: Bearer $AUTHORISATION" --data-binary @-
+    secrets:
+      - gitea_token
+    when:
+      - event: pull_request
--- a/.woodpecker/update.yaml
+++ b/.woodpecker/update.yaml
@ -0,0 +1,63 @@
+pipeline:
+  flake-update:
+    image: nixpkgs/nix-unstable
+    commands:
+      - mkdir -p /etc/nix
+      - |
+        cat > /etc/nix/nix.conf << EOF
+        # WARNING: this file is generated from the nix.* options in
+        # your NixOS configuration, typically
+        # /etc/nixos/configuration.nix.  Do not edit it!
+        build-users-group = nixbld
+        allowed-users = *
+        auto-optimise-store = true
+        builders-use-substitutes = true
+        require-sigs = true
+        sandbox = false
+        substituters = https://attic.chir.rs/chir-rs/ https://cache.nixos.org/
+        system-features = big-parallel benchmark ca-derivations
+        trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nixcache:8KKuGz95Pk4UJ5W/Ni+pN+v+LDTkMMFV4yrGmAYgkDg= hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs= chir-rs:AnwyFacopHSkprD6aXY4/R3J9JYzTbV2rosJCBPaB28=
+        trusted-substituters =
+        trusted-users = @wheel
+        experimental-features = nix-command flakes ca-derivations
+        EOF
+      - nix flake update
+    when:
+      - event: cron
+      - event: manual
+  git-push:
+    image: nixery.dev/shell/openssh/gitfull/git-lfs/gnupg/shadow
+    commands:
+      - groupadd -g 0 root
+      - useradd -u 0 -g root -d $HOME root
+      - mkdir -p ~/.ssh
+      - echo "$SSH_KEY" > ~/.ssh/id_ed25519
+      - chmod 600 ~/.ssh/id_ed25519
+      - echo "git.chir.rs ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQ77jA9S5qXDFGPLZRsC++AtxiXXeF8gVbkLlglx0GQ" > ~/.ssh/known_hosts
+      - echo "git.chir.rs ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDY0pZzNTAqaVqqfC31gYFixFs5KySv0UqvlDEAzEXJMB/pBWkE5GAd5Ik1NxD4QiAVWc2UARdmJEBbYf8mk5JiAv6fjsodJdJVRau4Ax7FtIfbxdFyzBgFery/KUnNIr6cmAWU2Af8JhzrnpEbhe5U3LftYnkdE1lI+iVqaQRARp0qikdzoAl3uMUhbdTxp1/6rtfN6bP2XZCsUx3t3W5ZG1QTQz8l7nrbXZX1TT3pZ2vcUANcMtOxEAwO6lbL210GX63C8XEoE7+4lLxRrSiaq3SkVlG07VspozKEtrrcsqCRNLebiaapmNWVoEq9Wd9VGAEjja5efyU6/HUlRogAOo1WP73UwoQLv5LTFH+ECoHhKS14xfPeXeVG8dbYyh5+CnmiVe43dH1qZw+ceYuYel31f47cAgScbxFvNkct0spK9m9mivnoUmYcxwTc+VbFbmnJvSuZw3a+OEYn9biitP/tTkYFiLZVdPZTxDkvd1oOyuVH9d4RMXbVgNS92/lr2iKFZkyhWMJ61hFMc2tupwmkp5Us5ce42XA0zC/aVY3vYoih/c5Ib0eZF1AEJdB6Bt5dWqITVsB3mip3Jn/mqVBIPTGXT6+FnGSEuL68Dj2yKBD7kj8YO/1SWpkVMy+bfoLXY/usgcaLCxpUu8dDrdrcKExLigCVbi3rdRmg7w==" >> ~/.ssh/known_hosts
+      - git remote set-url origin gitea@git.chir.rs:darkkirb/nix-packages.git
+      - git config --global 'user.email' 'gitea-bot@chir.rs'
+      - git config --global 'user.name' 'Gitea Bot'
+      - echo "$GPG_KEY" | gpg --import
+      - git config --global "user.signingKey" "0x417A4BCCAB696E24"
+      - git config --global "commit.gpgSign" "true"
+      - git add .
+      - git commit -am "Update flake"
+      - git push --force origin main:update-flake
+    secrets:
+      - gpg_key
+      - ssh_key
+    when:
+      - event: cron
+      - event: manual
+  gitea-pr:
+    image: nixery.dev/shell/curl
+    commands:
+      - |
+        echo '{ "assignee": "darkkirb", "base": "main", "head": "update-flake, "title": "Update flake", "body": "" }' | curl -X POST -H "Authorization: token $GITEA_TOKEN" -H "Content-Type: application/json" --data-binary @- 'https://git.chir.rs/api/v1/repos/darkkirb/nix-packages/pulls'
+    secrets:
+      - gitea_token
+    when:
+      - event: cron
+      - event: manual
+branches: main